Merge pull request #641

Add separate interface option for import pcap

CHANGELOG.md

@@ -10,6 +10,10 @@ Every entry has a category for which we use the following visual abbreviations:
 
 ## [Unreleased]
 
+- 🔄 The `import pcap` command no longer takes interface names via `--read,-r`,
+  but instead from a separate option named `--interface,-i`. This change has
+  been made for consistency with other tools. (#641)
+
 ## [0.2] - 2019-10-30
 
 - 🎁 The default schema for Suricata has been updated to support the new

libvast/src/format/pcap.cpp

@@ -24,6 +24,7 @@
 #include "vast/table_slice.hpp"
 #include "vast/table_slice_builder.hpp"
 
+#include <caf/config_value.hpp>
 #include <caf/settings.hpp>
 
 #include <thread>
@@ -55,8 +56,10 @@ reader::reader(caf::atom_value id, const caf::settings& options,
                std::unique_ptr<std::istream>)
   : super(id), packet_type_{pcap_packet_type} {
   using defaults_t = vast::defaults::import::pcap;
-  using caf::get_or;
+  using caf::get_if;
   std::string category = defaults_t::category;
+  if (auto interface = get_if<std::string>(&options, category + ".interface"))
+    interface_ = *interface;
   input_ = get_or(options, category + ".read", defaults_t::read);
   cutoff_ = get_or(options, category + ".cutoff", defaults_t::cutoff);
   max_flows_ = get_or(options, category + ".max-flows", defaults_t::max_flows);
@@ -110,29 +113,20 @@ caf::error reader::read_impl(size_t max_events, size_t max_slice_size,
   // Initialize PCAP if needed.
   if (!pcap_) {
     // Determine interfaces.
-    pcap_if_t* iface;
-    if (::pcap_findalldevs(&iface, buf) == -1)
-      return make_error(ec::format_error,
-                        "failed to enumerate interfaces: ", buf);
-    for (auto i = iface; i != nullptr; i = i->next)
-      if (input_ == i->name) {
-        pcap_ = ::pcap_open_live(i->name, 65535, 1, 1000, buf);
-        if (!pcap_) {
-          ::pcap_freealldevs(iface);
-          return make_error(ec::format_error, "failed to open interface ",
-                            input_, ": ", buf);
-        }
-        if (pseudo_realtime_ > 0) {
-          pseudo_realtime_ = 0;
-          VAST_WARNING(this, "ignores pseudo-realtime in live mode");
-        }
-        VAST_DEBUG(this, "listens on interface " << i->name);
-        break;
+    if (interface_) {
+      pcap_ = ::pcap_open_live(interface_->c_str(), 65535, 1, 1000, buf);
+      if (!pcap_) {
+        return make_error(ec::format_error, "failed to open interface",
+                          *interface_, ":", buf);
+      }
+      if (pseudo_realtime_ > 0) {
+        pseudo_realtime_ = 0;
+        VAST_WARNING(this, "ignores pseudo-realtime in live mode");
       }
-    ::pcap_freealldevs(iface);
-    if (!pcap_) {
-      if (input_ != "-" && !exists(input_))
-        return make_error(ec::format_error, "no such file: ", input_);
+      VAST_DEBUG(this, "listens on interface", *interface_);
+    } else if (input_ != "-" && !exists(input_)) {
+      return make_error(ec::format_error, "no such file: ", input_);
+    } else {
 #ifdef PCAP_TSTAMP_PRECISION_NANO
       pcap_ = ::
         pcap_open_offline_with_tstamp_precision(input_.c_str(),

libvast/src/system/application.cpp

@@ -48,11 +48,9 @@ namespace vast::system {
 namespace {
 
 auto make_pcap_options(std::string_view category) {
-  return opts(category)
-    .add<std::string>("write,w", "path to write events to")
-    .add<bool>("uds,d", "treat -w as UNIX domain socket to connect to")
-    .add<size_t>("flush-interval,f", "flush to disk after this many "
-                                     "packets");
+  return sink_opts(category).add<size_t>("flush-interval,f",
+                                         "flush to disk after this many "
+                                         "packets");
 }
 
 auto make_root_command(std::string_view path) {
@@ -155,21 +153,16 @@ auto make_import_command() {
   import_->add_subcommand("suricata", "imports suricata eve json",
                           documentation::vast_import_suricata,
                           source_opts("?import.suricata"));
-  import_->add_subcommand(
-    "test", "imports random data for testing or benchmarking",
-    documentation::vast_import_test,
-    opts("?import.test")
-      .add<size_t>("seed", "the random seed")
-      .add<std::string>("schema-file,s", "path to alternate schema")
-      .add<std::string>("schema,S", "alternate schema as string"));
+  import_->add_subcommand("test",
+                          "imports random data for testing or benchmarking",
+                          documentation::vast_import_test,
+                          opts("?import.test"));
 #ifdef VAST_HAVE_PCAP
   import_->add_subcommand(
     "pcap", "imports PCAP logs from STDIN or file",
     documentation::vast_import_pcap,
-    opts("?import.pcap")
-      .add<std::string>("read,r", "path to input where to read events from")
-      .add<std::string>("schema,s", "path to alternate schema")
-      .add<bool>("uds,d", "treat -r as listening UNIX domain socket")
+    source_opts("?import.pcap")
+      .add<std::string>("interface,i", "network interface to read packets from")
       .add<size_t>("cutoff,c", "skip flow packets after this many bytes")
       .add<size_t>("max-flows,m", "number of concurrent flows to track")
       .add<size_t>("max-flow-age,a", "max flow lifetime before eviction")

libvast/vast/format/pcap.hpp

@@ -28,6 +28,7 @@
 #include "vast/time.hpp"
 
 #include <caf/expected.hpp>
+#include <caf/optional.hpp>
 
 #include <chrono>
 #include <pcap.h>
@@ -107,6 +108,7 @@ class reader : public single_layout_reader {
   time last_timestamp_ = time::min();
   int64_t pseudo_realtime_;
   std::string input_;
+  caf::optional<std::string> interface_;
 };
 
 /// A PCAP writer.